Pinner MCP

Created 5 months ago

A Model Context Protocol (MCP) server that can help pin 3rd party dependencies to immutable digests.

What is Pinner MCP?

A MCP server for pinning GitHub Actions and container base images to their immutable SHA hashes to prevent supply chain attacks.

Documentation

Usage

Run as a container with stdio transport.

docker run -it --rm ghcr.io/safedep/pinner-mcp:latest

Cursor

Add the following to your .cursor/mcp.json file. You must also enable the MCP server in the Cursor settings.

{
  "mcpServers": {
    "pinner-mcp-stdio-server": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "ghcr.io/safedep/pinner-mcp:latest"
      ]
    }
  }
}

Use Composer prompts like the following to pin dependencies to a specific commit hash or digest.

Pin GitHub Actions to their commit hash

Pin container base images to digests

To update pinned versions, you can use a prompt like the following.

Update pinned versions of container base images
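
To check what is still unpinned before or after running these prompts, the following added example (not part of Pinner MCP or its documentation) scans workflow and Dockerfile text for references that lack a full commit SHA or image digest. The function names and sample inputs are assumptions made for illustration.

```python
import re

# Pinned means: a full 40-hex commit SHA for actions, an @sha256 digest for images.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^'\"\s#]+)", re.M)
FROM_RE = re.compile(r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(\S+)(?:[ \t]+AS[ \t]+(\S+))?", re.I | re.M)
SHA1_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_actions(workflow_text):
    """Return `uses:` references whose ref is a tag or branch, not a commit SHA."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./"):          # local action, versioned with the repo itself
            continue
        if ref.startswith("docker://"):   # container action: needs an image digest
            pinned = bool(DIGEST_RE.search(ref))
        else:
            pinned = bool(SHA1_RE.fullmatch(ref.partition("@")[2]))
        if not pinned:
            findings.append(ref)
    return findings

def unpinned_base_images(dockerfile_text):
    """Return FROM images that carry no digest, skipping scratch and earlier stages."""
    findings, stages = [], set()
    for image, alias in FROM_RE.findall(dockerfile_text):
        if image.lower() not in stages | {"scratch"} and not DIGEST_RE.search(image):
            findings.append(image)
        if alias:
            stages.add(alias.lower())
    return findings

# Constructed sample inputs; the SHA and digest below are made-up placeholders.
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local
      - name: scan
        uses: docker://alpine:3.20
"""
SAMPLE_DOCKERFILE = (
    "FROM golang:1.24 AS build\n"
    "FROM alpine@sha256:" + "a" * 64 + "\n"
    "FROM build AS final\n"
)

if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW))
    print(unpinned_base_images(SAMPLE_DOCKERFILE))
```

A FROM line that takes its image from a build argument is reported as unpinned, because the value cannot be resolved from the file text alone.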

Tool Updates

Updates for the MCP server are automatically pushed to the latest tag on GitHub Container Registry. You must manually update your local container image to the latest version.

docker pull ghcr.io/safedep/pinner-mcp:latest

References

  • Originally built to protect vet from malicious GitHub Actions
  • mcp-go is a great library for building MCP servers
  • Built and maintained by SafeDep Engineering

Server Config

{
  "mcpServers": {
    "pinner-mcp-server": {
      "command": "npx",
      "args": [
        "pinner-mcp"
      ]
    }
  }
}

Links & Status

Repository: github.com
Hosted: No
Global: No
Official: Yes

Project Info

Created At: Jul 02, 2025
Updated At: Aug 07, 2025
Author: SafeDep Engineering
Category: community
Tags: development, documentation, public